A storage area network (SAN) may be implemented as a high-speed, special-purpose network that interconnects different kinds of data storage devices with associated data servers on behalf of a large network of users. Typically, a storage area network is part of the overall network of computing resources for an enterprise. The storage area network is usually clustered in close geographical proximity to other computing resources, such as mainframe computers, but may also extend to remote locations for backup and archival storage using wide area network carrier technologies.
In many SAN environments, a SAN administrative user manages user access to SAN resources, such as applications and storage, using a SAN management software program. These users are typically administrative personnel themselves, who need to configure, monitor, and manage some portion of the SAN as part of their jobs. For example, the SAN administrative user may wish to allow a network technician access to switches in the network to alter their configurations, add new switches, etc. However, existing SAN management software generally gives the SAN administrative user limited options for controlling user access—either the user gets access to all of the SAN resources in a fabric or the user does not get any access to the SAN resources in the fabric.
Unfortunately, such coarse access control does not meet the more sophisticated requirements of modern SAN management. For example, for security and safety reasons, a SAN administrative user may wish to allow one user to alter the configuration of an individual port on a given switch but not wish to give that user the ability to alter other ports on that same switch. Existing approaches do not allow this level of user access control.